Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2023 11:08
- Static task static1
- Behavioral task behavioral1: sample AppSetup.rar, resource win7-20221111-en
- Behavioral task behavioral2: sample AppSetup.rar, resource win10v2004-20221111-en
- Behavioral task behavioral3: sample AppSetup.exe, resource win7-20220812-en
- Behavioral task behavioral4: sample AppSetup.exe, resource win10v2004-20221111-en
General
- Target: AppSetup.rar
- Size: 5.6MB
- MD5: 3320baa8777b655d4be63fb56a35f875
- SHA1: 9f1f90e1ab9feb0396f4e7d921d56a97b527ffb4
- SHA256: 2f626154e982310a3efc265a8c279dea6c857dac99a96ae698cd797f9dcac174
- SHA512: 69a542eabe263575e56f51902213d024786e62f117943ad724d86c54a54d02d299a4c0f77fced040b435e24fc8f18dd87c3869c7b02bd512acc2db29d7a9e5ee
- SSDEEP: 98304:yiJu9vxyWDY0NXBn7bv4ML50l30EZFZNAAKv64rOtMKzsfB1lKIBFty:yl9pyKlNx7bv4ML50xnFZqAKv64r4I1m
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Processes:
  - rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings
  - rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe (PID 396)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe (PID 396)
- Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes: vlc.exe (PID 396), 9 events
- Suspicious use of SendNotifyMessage (8 IoCs)
  Processes: vlc.exe (PID 396), 8 events
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe (PID 396)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 1744 cmd.exe wrote to memory of PID 1464 rundll32.exe (3 events)
  - PID 1464 rundll32.exe wrote to memory of PID 396 vlc.exe (3 events)
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\AppSetup.rar
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AppSetup.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\VideoLAN\VLC\vlc.exe (depth 3)
      Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\AppSetup.rar"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx